
CERT Basic Fuzzing Framework Update

Hi, folks. We've recently updated the CERT® Basic Fuzzing Framework (BFF). The new BFF 1.1 contains new functionality and improves performance.

The BFF is a framework to perform file mutation fuzzing for Linux applications. Since the initial release of the BFF, we have made some improvements:

The virtual machine

  • We upgraded the OS to the testing version of Debian ("Squeeze"). While installing applications to fuzz, I noticed that some of them required libraries newer than those available in the stable version of Debian, so the VM used by the BFF is now more modern.
  • The virtual machine now includes a generic VESA video driver in addition to the VMware driver. This can simplify the use of the BFF with other virtualization products, like VirtualBox.

The scripts

  • In some cases, the gdb process would hang during a fuzzing run, which can result in resource exhaustion. The gdb process is now properly killed when its timeout expires.
  • BFF 1.0 discarded crashes caused by the SIGABRT signal. This was done to ignore, by default, crashes that resulted from a failed assertion. However, this feature was also discarding heap corruption crashes that were caught by glibc. BFF 1.1 now investigates SIGABRT crashes to determine whether they are the result of a failed assertion. Only failed-assertion crashes are discarded by default.
  • The script has been refactored for improved performance, sanity, and modularity. (Thanks Allen!)
  • The BFF now performs automatic crashing testcase minimization via fuzzdiff. (Thanks Dan!)
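The two script changes above, killing a gdb run that exceeds its timeout and triaging SIGABRT crashes so that glibc-detected heap corruption is kept while failed assertions are discarded, as an added example that is not BFF's own code: it assumes the crash output was captured from the debuggee's stderr or a gdb batch run, and the assert() and glibc message patterns are assumptions based on typical glibc wording.

```python
import os
import re
import signal
import subprocess

# Pattern printed by assert() before it calls abort(): discard by default.
ASSERT_RE = re.compile(r"Assertion `.*' failed\.")
# Messages glibc prints before calling abort() on detected heap corruption: keep.
GLIBC_HEAP_RE = re.compile(
    r"(double free or corruption|free\(\): invalid|malloc\(\): (memory )?corrupt"
    r"|corrupted (double-linked list|size vs\. prev_size)|invalid pointer)"
)


def classify_sigabrt(output: str) -> str:
    """Triage a SIGABRT crash from captured debuggee/gdb output.

    Returns 'assertion' (failed assert, discard), 'heap_corruption' (glibc
    caught a heap error, keep for analysis) or 'unknown' (keep and inspect).
    """
    if ASSERT_RE.search(output):
        return "assertion"
    if GLIBC_HEAP_RE.search(output):
        return "heap_corruption"
    return "unknown"


def run_with_timeout(cmd, timeout):
    """Run cmd (e.g. a gdb batch invocation) in its own process group and kill
    the whole group when the timeout expires, so a hung gdb cannot leave the
    debuggee behind and exhaust resources. Returns output, or None on timeout."""
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, start_new_session=True)
    try:
        out, _ = proc.communicate(timeout=timeout)
        return out.decode(errors="replace")
    except subprocess.TimeoutExpired:
        os.killpg(proc.pid, signal.SIGKILL)  # kills gdb and its debuggee
        proc.communicate()
        return None


# Constructed sample outputs (not captured from a real fuzzing run).
SAMPLE_ASSERT = ("app: parser.c:42: parse_chunk: Assertion `len < 256' failed.\n"
                 "Program received signal SIGABRT")
SAMPLE_HEAP = ("*** glibc detected *** ./app: double free or corruption (!prev): "
               "0x0804a008 ***\nProgram received signal SIGABRT")
```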

Download BFF 1.1
